Threat of the Week: Authenticating With Devices

Call this not a threat but a possible salvation. Increasing numbers of experts are giving up on the traditional username/password login and are beginning to look at devices themselves as possible authenticators of identity.

As for the problem with traditional logins, many experts point to the recent wave of massive cyber breaches – at Adobe, LexisNexis, Dun & Bradstreet and Kroll Background America, for instance. Exact details of how the breaches were carried out have not been released, but in past cases the key that unlocks the computers has often been an employee inadvertently giving up his or her login, through keylogging or social engineering.

Thus the rising despair about old-fashioned logins.

Mobile devices, in particular, offer fertile identification tools. Every recent cellphone, for instance, ships with a built-in IMEI, which is a 15-digit, unique identifying number. There are ways to alter an IMEI but that technology is in its infancy. In most cases IMEI is as solid as a fingerprint.

Mobile devices also come with rich location information, and if, suddenly, a user from Jersey City, N.J., is attempting to log in from Saigon, that’s a red flag.

Add it up, and the question is whether devices themselves will begin to take over more of the authentication burden from consumers. Experts surveyed by Credit Union Times said that day may be coming sooner than you think, and that could be very good news for beleaguered security managers.

“For most things, device ID is much better than user ID. Devices are really good at security. People are really bad at it,” said Andy Tarbox, an executive with Wave Systems, a Lee, Mass., company that is building out a networking model based on “trusted computers.” The idea: it’s possible to know enough about a computer to know it is a reliable friend. “There is a real movement towards security based on strong device identification,” said Tarbox.

Not so fast, say others.

“There’s a great interest in using mobile devices, but it won’t be widely adopted before most consumers have these devices,” said John Pironti, president at consulting firm IP Architects and an ISACA advisor. “There’s the lowest common denominator problem,” said Pironti, by which he meant a financial institution is unlikely to require a customer or member to have a smartphone, and those who don’t have one need an access route in – which means mobile cannot by itself secure the perimeter.

Pironti also pointed to the fact that sometimes, in some places, there just is no access to cellular devices – on airplanes, for instance, and also in parts of rural America. There needs to be more ubiquity of access and ownership, he suggested, before mobile devices can become the centerpiece of secure logins.

“Probably this eventually will go places,” said Pironti, “but I believe device authentication will be one of several options.”

Pironti’s cautions may be on the money. Even so, many pioneers are taking steps to hurry the arrival of devices onto the center stage of authentication. At iovation, for instance, Chief Technology Officer Scott Waddell explained that the company’s business revolves around building reputation histories for particular devices – and that those reputations can help financial institutions decide to grant or deny access.

Say a legitimate username/password is used – but the access is coming from Lagos, Nigeria, using a device that has a reputation of involvement in scams and con games. That might be an easy decision, but it proves a point: knowing more about the devices is a step towards more secure financial transactions.
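To make the two signals discussed above concrete, the device reputation lookup and the location red flag, here is an added illustration (not code from iovation or any company quoted in this article) of a risk-based login decision. It assumes a hypothetical reputation store keyed by device identifier, a hypothetical last-seen location per user, and a great-circle "impossible travel" check; the device signals only raise or lower risk, and the password stays mandatory because, as the article notes, devices can be tampered with.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airliner speed; faster than this is implausible travel


@dataclass
class Attempt:
    user: str
    device_id: Optional[str]      # hypothetical: an IMEI or app-issued token; None = no device
    lat: float
    lon: float
    ts: float                     # epoch seconds of the attempt
    password_ok: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used to turn two locations and a time gap into a speed."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def decide(attempt: Attempt, reputation: dict, last_seen: dict) -> str:
    """Return 'deny', 'step_up' or 'allow'. Device signals adjust risk; they never
    replace the password, since a device can be cloned or tampered with."""
    if not attempt.password_ok:
        return "deny"
    reasons = []
    rep = reputation.get(attempt.device_id) if attempt.device_id else None
    if rep == "bad":                          # device with a history of scam involvement
        return "deny"
    if rep is None:                           # unseen device, or a user with no device at all:
        reasons.append("unknown_device")      # keep an access route in, but ask for more proof
    prev = last_seen.get(attempt.user)
    if prev is not None:
        plat, plon, pts = prev
        dist = haversine_km(plat, plon, attempt.lat, attempt.lon)
        hours = max((attempt.ts - pts) / 3600.0, 1 / 60)   # floor avoids divide-by-zero
        if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("impossible_travel")           # e.g. Jersey City, then Saigon an hour later
    return "step_up" if reasons else "allow"


# Constructed sample state, not real data: one known-good device, one bad device,
# and a user last seen in Jersey City, N.J. at a fixed timestamp.
REPUTATION = {"imei-good-001": "good", "imei-bad-002": "bad"}
LAST_SEEN = {"alice": (40.7178, -74.0431, 1_700_000_000.0)}
```

A real deployment would log the `reasons` list alongside the decision so that step-up prompts and denials can be reviewed and tuned.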

Waddell himself cautioned, however, that, useful as knowledge of a device can be, “we also know that devices can be tampered with.”